## Friday, August 13, 2010

### How Strong?

Since this is an elementary math-oriented blog I am NOT going to ask how much weight you can press. I'm going to ask how many passwords you have and how strong they are (resistant to attack).

We all have multiple requests to create passwords, PIN numbers and combinations for our school lockers (oops, obsolete!). We have to remember birthdays and anniversaries. Thus our memories are full and fallible. When prompted to create a new PIN or combination, we usually choose something easy to remember (but also easy for a hacker to guess).

The numbers around this state of affairs are the subject of today's blog.

Have you ever had a padlock like this? I bought mine the day we got our first house, to lock the garage. Since I could set the padlock's combination myself, I chose my wedding anniversary date, so I could recall two numbers with one allotment of memory cells. Because I opened this lock so many times, I can still remember my anniversary, even though it was 12,760 days ago.

This simple combination lock only has 4 digits, yet there are 10,000 combinations (10 x 10 x 10 x 10). Anyone trying to break it has to spin the rings around manually, while kneeling down in front of my garage door, so it's fairly secure.

I have a lock on a cabinet in my house that only has two tumblers. But each has letters instead of numbers, so the product (26 x 26) gives 676 possible combinations.

Computer passwords have to be a lot more secure than these locks, as hackers can sit back and let special programs do the work for them. They don't have to twist dials around and worry about you coming home and finding them fiddling with your locks.

A good password is complicated but not impossible to remember. We've got one password at work that's so long we have printed it on an 8.5x11" piece of paper. It's extremely secure, but that's too much for most of us to manage every time we want to get into a website.

Here's a nifty site that does an evaluation of sample passwords just to see how strong they are.

If you are going to check a password there, I suggest you check lots of random ones as well as your own, because almost any site can be analyzed like this Password Meter. Here's a typical evaluation:

There are 270,000 sites with a better three-month global traffic rank than this site. It is ranked #140,000 in India, where 20% of its visitors are located, and is popular in New Zealand, where it is ranked #15,000. About 90% of visitors view one page. Visitors tend to be childless, lower-income men aged under 35 and over 55 who browse from a computer at work.

Are you a typical visitor of the right age and gender? Did any of your passwords measure up? If not, an article I read by an IBM security specialist suggested a pattern easy for you to remember and hard for others to decipher:

Odd-Name   Special-symbol   4-Numeral

Combinations assembled in this way are good and secure. Adding upper and lower case letters is even better. For example:

Boeing#747 is easy and got an 89% rating.

RatRod&1953 did much better at 100%.
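The same multiplication used for the padlock and the cabinet lock also measures passwords. The Python sketch below is an added example, not part of the original post or the Password Meter site; it compares the count for randomly chosen characters with the count for someone who knows the Name + symbol + numerals pattern. The word-list size of 100,000 is an assumption made for illustration.

```python
import math
import re
import string

# Assumption (not from the post): a guesser's list of names/words,
# with capitalisation variants already included.
WORDLIST_SIZE = 100_000
SYMBOLS = string.punctuation  # the 32 ASCII special characters

# Letters, then one special symbol, then a run of digits.
PATTERN = re.compile(r"^[A-Za-z]+[" + re.escape(SYMBOLS) + r"](\d+)$")

def keyspace(alphabet_size, length):
    """Combinations for `length` positions with `alphabet_size` choices each."""
    return alphabet_size ** length

def charset_size(password):
    """Alphabet size implied by the character classes the password uses."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (SYMBOLS, 32)]
    return sum(n for chars, n in classes if any(c in chars for c in password))

def naive_bits(password):
    """Strength in bits if every character were picked at random."""
    return math.log2(keyspace(charset_size(password), len(password)))

def pattern_bits(password):
    """Strength in bits if the guesser knows the Name+symbol+digits pattern.
    Returns None when the password does not follow that pattern."""
    m = PATTERN.match(password)
    if m is None:
        return None
    digits = len(m.group(1))
    return math.log2(WORDLIST_SIZE * len(SYMBOLS) * keyspace(10, digits))

if __name__ == "__main__":
    print("padlock :", keyspace(10, 4), "combinations")
    print("cabinet :", keyspace(26, 2), "combinations")
    for pw in ("Boeing#747", "RatRod&1953"):
        print(f"{pw:12} naive {naive_bits(pw):5.1f} bits, "
              f"pattern-aware {pattern_bits(pw):5.1f} bits")
```

Each extra bit doubles the number of guesses needed, so the distance between the two figures shows how much a known template shrinks the search compared with truly random characters of the same length.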